MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20eaf0edffd1aa711a0c05b69d377b9d2c7479a5b3b1e9608977cee511d59599. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 9

SHA256 hash: 20eaf0edffd1aa711a0c05b69d377b9d2c7479a5b3b1e9608977cee511d59599
SHA3-384 hash: a6033db222b019af7f58617f647728c066c71b9b5a6a8aaebb9c66bcb5a61ddbda31b0f6ad910a9d718c9c8fc35acb15
SHA1 hash: 1914ca9d4b3b79cd0342321e619b4283e2f8d558
MD5 hash: 192a6549b847170493ab1ad95387b1c7
humanhash: carpet-utah-avocado-butter
File name: 192a6549b847170493ab1ad95387b1c7.dll
Signature: BazaLoader
File size: 625'152 bytes
First seen: 2021-11-18 09:35:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a7abef23aa4abf8dc36e4de8b3a8ba8f (6 x BazaLoader, 2 x TrickBot)
ssdeep: 12288:RJZ6WAZKTmKEbNtqiUjLoox5uqPMhEBSa+kjlhdQcD1g1YbR:RLtAZxtHUjLo4gRhEBXSGb
Threatray: 17 similar samples on MalwareBazaar
TLSH: T1D8D47D9AF995D070F26781358A739541D5B33C460BA1CEEF6395662E3F32BE01E3A720
Reporter: abuse_ch
Tags: BazaLoader BazarBackdoor BazarLoader dll exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 221
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 192a6549b847170493ab1ad95387b1c7.dll
Verdict: No threats detected
Analysis date: 2021-11-18 09:46:06 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: BazaLoader
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected BazaLoader
Behaviour
Behavior Graph (ID 524303; sample lcQEv5fe7s.dll; start date 18/11/2021; architecture WINDOWS; score 64): the sample is loaded by loaddll64.exe, which starts rundll32.exe (twice), cmd.exe and 6 other processes; cmd.exe starts a further rundll32.exe; rundll32.exe connects to 162.33.178.34 (ports 443, 49745, 49823; CORENETUS, United States), which triggers the signature "System process connects to network (likely due to code injection or exploit)". The signatures "Multi AV Scanner detection for submitted file" and "Yara detected BazaLoader" are attached to the sample itself.

Threat name: Win64.Trojan.Reflo
Status: Malicious
First seen: 2021-11-17 03:11:25 UTC
AV detection: 20 of 44 (45.45%)
Threat level: 5/5

Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader
Behaviour
Blocklisted process makes network request
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SHA256 hash: 20eaf0edffd1aa711a0c05b69d377b9d2c7479a5b3b1e9608977cee511d59599
MD5 hash: 192a6549b847170493ab1ad95387b1c7
SHA1 hash: 1914ca9d4b3b79cd0342321e619b4283e2f8d558

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | BazaLoader | Executable exe | 20eaf0edffd1aa711a0c05b69d377b9d2c7479a5b3b1e9608977cee511d59599 (this sample)

Delivery method: Distributed via web download